@baseplate-dev/create-project MPL-2.0 22 versions

@baseplate-dev/create-project

npm Repository Homepage

CLI starter kit for creating a new Baseplate project

22

Versions

MPL-2.0

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

kingtam2000

Keywords

baseplateclicode-generationdevelopment-toolsfull-stackproject-starterscaffoldingtypescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): Intentional env capture in npmrc setup script; expected pattern for credential configuration tooling.	ai	2026/05/10

Versions (showing 22 of 22)

Version	Deps	Published
0.6.9	8 / 9	2026-04-27
0.6.8	8 / 9	2026-04-07
0.6.7	8 / 9	2026-04-01
0.6.6	8 / 9	2026-03-24
0.6.5	8 / 9	2026-03-23
0.6.4	8 / 9	2026-03-16
0.6.3	8 / 9	2026-03-15
0.6.2	8 / 8	2026-03-11
0.3.3	6 / 8	2025-08-17
0.3.2	6 / 8	2025-08-17
0.3.1	6 / 8	2025-08-06
0.3.0	6 / 8	2025-07-31
0.2.6	6 / 8	2025-07-25
0.2.5	6 / 8	2025-07-16
0.2.4	6 / 8	2025-07-12
0.2.3	6 / 8	2025-07-11
0.2.2	6 / 8	2025-07-04
0.2.1	6 / 8	2025-07-01
0.2.0	6 / 8	2025-06-27
0.1.3	6 / 8	2025-06-03
0.1.2	6 / 8	2025-06-02
0.1.1	7 / 6	2025-06-01

v0.6.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.3

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.2

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.1

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.6

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.5

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.4

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.3

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.2

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.1

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.3

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.2

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

2 findings

HIGH env-spread: templates/scripts/setup-npmrc.cjs:20 semgrep

Spreading entire process.env into an object — may capture all secrets 18 | 19 | // read .env file if present > 20 | const envVars = { ...process.env }; 21 | if (fs.existsSync(envPath)) { 22 | const env = fs.readFileSync(envPath, 'utf8');

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.